
Transport Encryption for Knative Eventing

Flag name: transport-encryption

Stage: Beta, disabled by default

Tracking issue: #5957

Overview

By default, in-cluster event traffic is unencrypted. This restricts the kinds of events that can be transported to those with low compliance requirements (or lenient compliance policies), or it forces administrators to use a service mesh or an encrypting CNI to protect the traffic, both of which bring many challenges for Knative Eventing adopters.

Knative Brokers and Channels provide HTTPS endpoints for receiving events. Because these endpoints usually have no public DNS name (for example svc.cluster.local or similar), their certificates must be signed by a non-public CA (a cluster- or organization-specific CA).

Event producers are able to connect to an HTTPS endpoint using the cluster-internal CA certificate.

Prerequisites

Install cert-manager

Setting up a SelfSigned ClusterIssuer

Note

A ClusterIssuer is a Kubernetes resource that represents a certificate authority (CA) able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request. Reference: cert-manager.io/docs/concepts/issuer/

Important

To keep this guide simple, we use a SelfSigned issuer as the root certificate, but be aware of the implications and limitations of this approach, as described at cert-manager.io/docs/configuration/selfsigned/. If you run a company-specific private key infrastructure (PKI), we recommend using the CA issuer; see the cert-manager documentation for more details: cert-manager.io/docs/configuration/ca/. You can also use any other issuer that works for cluster-internal services.

  1. Create a SelfSigned ClusterIssuer
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: knative-eventing-selfsigned-issuer
    spec:
      selfSigned: {}
    
  2. Apply the ClusterIssuer resource
    $ kubectl apply -f <filename>
    
  3. Create a root certificate using the SelfSigned ClusterIssuer created above
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: knative-eventing-selfsigned-ca
      namespace: cert-manager # the cert-manager operator namespace
    spec:
       # Secret name later used for the ClusterIssuer for Eventing
      secretName: knative-eventing-ca
    
      isCA: true
      commonName: selfsigned-ca
      privateKey:
        algorithm: ECDSA
        size: 256
    
      issuerRef:
        name: knative-eventing-selfsigned-issuer
        kind: ClusterIssuer
        group: cert-manager.io
    
  4. Apply the Certificate resource
    $ kubectl apply -f <filename>
    

Setting up the ClusterIssuer for Eventing

  1. Create the knative-eventing-ca-issuer ClusterIssuer for Eventing

    # This is the issuer that every Eventing component uses to issue its server certificates.
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: knative-eventing-ca-issuer
    spec:
      ca:
        # Secret name in the Cert-Manager Operator namespace (cert-manager by default) containing
        # the certificate that can then be used by Knative Eventing components for new certificates.
        secretName: knative-eventing-ca 
    
    Important

    The name of the ClusterIssuer must be knative-eventing-ca-issuer

  2. Apply the ClusterIssuer resource

    $ kubectl apply -f <filename>
    

Installing certificates for Eventing components

Eventing components use cert-manager issuers and certificates to provision TLS certificates. The release assets include the Eventing server certificates, which can be customized as needed.

  1. Install the certificates by running the following command
    kubectl apply -f https://github.com/knative/eventing/releases/download/knative-v1.21.0/eventing-tls-networking.yaml
    
  2. [Optional] If you are using the Eventing Kafka components, install their certificates by running the following command
    kubectl apply -f https://github.com/knative-extensions/eventing-kafka-broker/releases/download/knative-v1.21.0/eventing-kafka-tls-networking.yaml
    
  3. Verify that the issuers and certificates are ready
    kubectl get certificates.cert-manager.io -n knative-eventing
    
    Example output
    NAME                           READY   SECRET                         AGE
    imc-dispatcher-server-tls      True    imc-dispatcher-server-tls      14s
    mt-broker-filter-server-tls    True    mt-broker-filter-server-tls    14s
    mt-broker-ingress-server-tls   True    mt-broker-ingress-server-tls   14s
    selfsigned-ca                  True    eventing-ca                    14s
    ...
    

Transport encryption configuration

The transport-encryption feature flag is an enum setting that configures how Addressables (Broker, Channel, Sink) accept events.

The possible values of transport-encryption are

  • disabled (equivalent to the current behavior)
    • Addressables may accept events on HTTPS endpoints
    • Producers may send events to HTTPS endpoints
  • permissive
    • Addressables should accept events on both HTTP and HTTPS endpoints
    • Addressables should advertise both HTTP and HTTPS endpoints
    • Producers should prefer sending events to HTTPS endpoints, if available
  • strict
    • Addressables must not accept events on non-HTTPS endpoints
    • Addressables must advertise only HTTPS endpoints

Important

strict is enforced only at the Broker and Channel receivers/ingress. When a broker or channel delivers events to a subscriber that has only an HTTP address, the broker or channel can still send those events over HTTP rather than HTTPS.

For example, to enable strict transport encryption, the config-features ConfigMap would look like this

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-features
  namespace: knative-eventing
data:
  transport-encryption: "strict"

Configuring additional CA trust bundles

By default, Eventing clients trust the system root CAs (public CAs).

If you need Eventing to trust additional CA bundles, create a ConfigMap in the knative-eventing namespace with the label networking.knative.dev/trust-bundle: true.

Important

Whenever a CA bundle ConfigMap is updated, Eventing clients automatically add its contents to their trusted CA bundles when establishing new connections.

  1. Create a CA bundle for Eventing
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: my-org-eventing-bundle
      namespace: knative-eventing
      labels:
        networking.knative.dev/trust-bundle: "true"
    # All data keys containing valid PEM-encoded CA bundles will be trusted by Eventing clients.
    data:
      ca.crt: ...
      ca1.crt: ...
      tls.crt: ...
    

Important

Use a name that is unlikely to conflict with any existing or future ConfigMap provided by Eventing.

To distribute CA trust bundles you can use trust-manager, but it is not required.

Trusting a specific CA for an event sender

Event sources, Triggers, and Subscriptions are considered event senders, and they can be configured to trust specific CA certificates.

Important

The CA certificates must be PEM-encoded. Because the value is a multi-line YAML string, make sure the CACerts value is indented correctly, otherwise the resource will be rejected when it is created.

Triggers and Subscriptions can be configured as follows

spec:
  # ...

  subscriber:
    uri: https://mycorp-internal-example.com/v1/api
    CACerts: |-
      -----BEGIN CERTIFICATE-----
      MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH
      MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF
      eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx
      MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV
      BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB
      AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog
      D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS
      sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop
      O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk
      sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi
      c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj
      VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz
      KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/
      TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G
      sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs
      1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD
      fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T
      AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN
      l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
      ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ
      VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5
      c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp
      4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s
      t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj
      2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO
      vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C
      xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx
      cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM
      fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax
      -----END CERTIFICATE-----

Similarly, sources can be configured as follows

spec:
  # ...

  sink:
    uri: https://mycorp-internal-example.com/v1/api
    CACerts: |-
      -----BEGIN CERTIFICATE-----
      MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH
      MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF
      eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx
      MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV
      BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB
      AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog
      D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS
      sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop
      O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk
      sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi
      c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj
      VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz
      KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/
      TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G
      sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs
      1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD
      fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T
      AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN
      l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
      ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ
      VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5
      c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp
      4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s
      t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj
      2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO
      vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C
      xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx
      cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM
      fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax
      -----END CERTIFICATE-----

Configuring custom event sources to trust the Eventing CA

The recommended way to create a custom event source is to use SinkBinding. SinkBinding injects the configured CA trust bundles into each container as a projected volume under the directory /knative-custom-certs.

Note

Some organizations inject company-specific CA trust bundles into their base container images and configure the runtimes (openjdk, node, and so on) to trust that bundle automatically. In that case you may not need to configure your clients at all.

Using the earlier my-org-eventing-bundle ConfigMap example, whose data keys are ca.crt, ca1.crt, and tls.crt, the /knative-custom-certs directory would be laid out as follows

/knative-custom-certs/ca.crt
/knative-custom-certs/ca1.crt
/knative-custom-certs/tls.crt

These files can then be used to add the CA trust bundles to the HTTP clients that send events to Eventing.

Note

Depending on the runtime, programming language, or library you use, custom CA certificate files are configured in different ways: command-line flags, environment variables, or reading the file contents directly. Refer to the relevant documentation for details.

Adding the SelfSigned ClusterIssuer CA to the CA trust bundles

If you are using the SelfSigned ClusterIssuer described in the "Setting up a SelfSigned ClusterIssuer" section, you can add its CA to the Eventing CA trust bundles by running the following commands

  1. Export the CA from the knative-eventing-ca secret in the OpenShift cert-manager operator namespace (cert-manager by default)
    $ kubectl get secret -n cert-manager knative-eventing-ca -o=jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
    
  2. Create the CA trust bundle in the knative-eventing namespace
    $ kubectl create configmap -n knative-eventing my-org-selfsigned-ca-bundle --from-file=ca.crt
    
  3. Label the ConfigMap with networking.knative.dev/trust-bundle: "true"
    $ kubectl label configmap -n knative-eventing my-org-selfsigned-ca-bundle networking.knative.dev/trust-bundle=true
    

Verifying that the feature is working

Save the following YAML into a file named default-broker-example.yaml

# default-broker-example.yaml

apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
  name: br

---
apiVersion: eventing.knative.dev/v1
kind: Trigger
metadata:
  name: tr
spec:
  broker: br
  subscriber:
    ref:
      apiVersion: v1
      kind: Service
      name: event-display
---
apiVersion: v1
kind: Service
metadata:
  name: event-display
spec:
  selector:
    app: event-display
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Pod
metadata:
  name: event-display
  labels:
    app: event-display
spec:
  containers:
    - name: event-display
      image: gcr.io/knative-releases/knative.dev/eventing/cmd/event_display
      imagePullPolicy: Always
      ports:
        - containerPort: 8080

Apply the default-broker-example.yaml file to the test namespace transport-encryption-test

kubectl create namespace transport-encryption-test

kubectl apply -n transport-encryption-test -f default-broker-example.yaml

Verify that all addresses are HTTPS

kubectl get brokers.eventing.knative.dev -n transport-encryption-test br -oyaml

Example output

apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
  # ...
  name: br
  namespace: transport-encryption-test
# ...
status:
  address:
    CACerts: |
      -----BEGIN CERTIFICATE-----
      MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
      FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
      MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
      SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
      tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
      BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
      BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
      KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
      -----END CERTIFICATE-----
    name: https
    url: https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
  addresses:
  - CACerts: |
      -----BEGIN CERTIFICATE-----
      MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
      FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
      MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
      SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
      tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
      BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
      BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
      KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
      -----END CERTIFICATE-----
    name: https
    url: https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
  annotations:
    knative.dev/channelAPIVersion: messaging.knative.dev/v1
    knative.dev/channelAddress: https://imc-dispatcher.knative-eventing.svc.cluster.local/transport-encryption-test/br-kne-trigger
    knative.dev/channelCACerts: |
      -----BEGIN CERTIFICATE-----
      MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
      FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
      MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
      SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
      tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
      BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
      BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
      KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
      -----END CERTIFICATE-----
    knative.dev/channelKind: InMemoryChannel
    knative.dev/channelName: br-kne-trigger
  conditions:
  # ...

Sending events to the Broker over the HTTPS endpoint

kubectl run curl -n transport-encryption-test --image=curlimages/curl -i --tty -- sh

Save the CA certificate from the Broker's .status.address.CACerts field to /tmp/cacerts.pem

cat <<EOF >> /tmp/cacerts.pem
-----BEGIN CERTIFICATE-----
MIIBbzCCARagAwIBAgIQAur7vdEcreEWSEQatCYlNjAKBggqhkjOPQQDAjAYMRYw
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwMzA4MzA1N1oXDTIzMTEwMTA4
MzA1N1owGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABBqkD9lAwrnXCo/OOdpKzJROSbzCeC73FE/Np+/j8n862Ox5xYwJ
tAp/o3RDpDa3omhzqZoYumqdtneozGFY/zGjQjBAMA4GA1UdDwEB/wQEAwICpDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSHoKjXzfxfudt3mVGU3VudSi6TrTAK
BggqhkjOPQQDAgNHADBEAiA5z0/TpD7T6vRpN9VQisQMtum/Zg3tThnYA5nFnAW7
KAIgKR/EzW7f8BPcnlcgXt5kp3Fdqye1SAkjxZzr2a0Zik8=
-----END CERTIFICATE-----
EOF

Send an event by running the following command

curl -v -X POST -H "content-type: application/json" -H "ce-specversion: 1.0" -H "ce-source: my/curl/command" -H "ce-type: my.demo.event" -H "ce-id: 6cf17c7b-30b1-45a6-80b0-4cf58c92b947" -d '{"name":"Knative Demo"}' --cacert /tmp/cacerts.pem https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br

Example output

* processing: https://broker-ingress.knative-eventing.svc.cluster.local/transport-encryption-test/br
*   Trying 10.96.174.249:443...
* Connected to broker-ingress.knative-eventing.svc.cluster.local (10.96.174.249) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /tmp/cacerts.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: O=local
*  start date: Aug  3 08:31:02 2023 GMT
*  expire date: Nov  1 08:31:02 2023 GMT
*  subjectAltName: host "broker-ingress.knative-eventing.svc.cluster.local" matched cert's "broker-ingress.knative-eventing.svc.cluster.local"
*  issuer: CN=selfsigned-ca
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* h2 [:method: POST]
* h2 [:scheme: https]
* h2 [:authority: broker-ingress.knative-eventing.svc.cluster.local]
* h2 [:path: /transport-encryption-test/br]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* h2 [content-type: application/json]
* h2 [ce-specversion: 1.0]
* h2 [ce-source: my/curl/command]
* h2 [ce-type: my.demo.event]
* h2 [ce-id: 6cf17c7b-30b1-45a6-80b0-4cf58c92b947]
* h2 [content-length: 23]
* Using Stream ID: 1
> POST /transport-encryption-test/br HTTP/2
> Host: broker-ingress.knative-eventing.svc.cluster.local
> User-Agent: curl/8.2.1
> Accept: */*
> content-type: application/json
> ce-specversion: 1.0
> ce-source: my/curl/command
> ce-type: my.demo.event
> ce-id: 6cf17c7b-30b1-45a6-80b0-4cf58c92b947
> Content-Length: 23
> 
< HTTP/2 202 
< allow: POST, OPTIONS
< content-length: 0
< date: Thu, 03 Aug 2023 10:08:22 GMT
< 
* Connection #0 to host broker-ingress.knative-eventing.svc.cluster.local left intact
